Origin server certificates don't match origin_ca_ecc_root.pem

If I generate a cert with Origin Server, it is generated with this info:

|Field|Value|
|---|---|
|Subject|/O=Cloudflare/ Inc./OU=Cloudflare Origin CA/CN=Cloudflare Origin Certificate|
|Issuer|/C=US/O=Cloudflare/ Inc./OU=Cloudflare Origin SSL Certificate Authority/L=San Francisco/ST=California|

But the Cloudflare Origin CA root certificate https://developers.cloudflare.com/ssl/0d2cd0f374da0fb6dbf53128b60bbbf7/origin_ca_ecc_root.pem

doesn't make my certs trusted when I upload it to my firewall as a certificate authority.

How can I fix this? Where is the problem?

May I ask have you selected “ECC” while generating an Origin CA Certificate or rather “RSA” from the Cloudflare dashboard → SSL/TLS → Origin server → Origin Certificates → Create certificate?

Therefore, when you copy-pasted the “root” .pem file, was it “ECC” or “RSA”?

Have you restarted your service on the server (in case something is cached or not loaded due to the new certs being applied, etc.)?

Kindly, could you try doing it again? Try to re-generate an “ECC” Origin CA certificate and make sure to copy-paste the “root .pem” which is also “ECC”.

1 Like
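The reply above boils down to three checks a trust store performs before it accepts an origin certificate: the leaf's issuer DN must equal the root's subject DN, the key family you generated (ECC or RSA) should be paired with the matching root file, and the signature must verify against that root. The script below is an added example, not from this thread or from Cloudflare; it builds two throwaway self-signed roots (one ECC, one RSA) and a leaf signed by the ECC root with stock `openssl`, then runs those checks with the right and the wrong root. The names (“Example Origin CA”, `ecroot`, `rsaroot`, `origin`) are constructed; on a real system you would point `check_chain` at your downloaded Origin Certificate and the `origin_ca_ecc_root.pem` / `origin_ca_rsa_root.pem` you uploaded to the firewall.

```shell
#!/bin/sh
# Added example: throwaway ECC and RSA roots plus a leaf signed by the ECC root,
# standing in for an Origin Certificate and the two Cloudflare root .pem files.
# Everything is generated into a temp dir, so this runs offline.
set -e
WORK="$(mktemp -d)"

# make_root STEM ec|rsa : self-signed root certificate and key in $WORK
make_root() {
  if [ "$2" = "ec" ]; then
    openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/$1.key"
  else
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  fi
  openssl req -x509 -new -key "$WORK/$1.key" -days 1 \
    -subj "/O=Example Org/OU=Example Origin CA/CN=$1" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf STEM ROOTSTEM : ECC leaf (constructed stand-in for an "Origin Certificate") signed by ROOTSTEM
make_leaf() {
  openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/$1.key"
  openssl req -new -key "$WORK/$1.key" \
    -subj "/O=Example Org/CN=Example Origin Certificate" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1 -out "$WORK/$1.pem" 2>/dev/null
}

# DN helpers in RFC 2253 form so the strings compare cleanly across OpenSSL versions
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^[^=]*=//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^[^=]*=//'; }
# Public key algorithm as printed by openssl: "id-ecPublicKey" (ECC) or "rsaEncryption" (RSA)
key_algo()   { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1; }

# check_chain LEAF ROOT : exit 0 when LEAF was issued by ROOT and verifies against it, 1 otherwise.
# The key-type comparison mirrors the thread's advice (ECC cert with ECC root); it is a heuristic,
# since a CA may in general sign keys of either type.
check_chain() {
  leaf="$1"; root="$2"
  if [ "$(issuer_of "$leaf")" != "$(subject_of "$root")" ]; then
    echo "issuer mismatch: leaf issuer '$(issuer_of "$leaf")' != root subject '$(subject_of "$root")'"
    return 1
  fi
  if [ "$(key_algo "$leaf")" != "$(key_algo "$root")" ]; then
    echo "key type mismatch: leaf $(key_algo "$leaf") vs root $(key_algo "$root") (ECC cert paired with RSA root, or vice versa?)"
    return 1
  fi
  if ! openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1; then
    echo "signature/chain verification failed against $root"
    return 1
  fi
  echo "OK: $leaf chains to $root"
  return 0
}

make_root ecroot ec
make_root rsaroot rsa
make_leaf origin ecroot

check_chain "$WORK/origin.pem" "$WORK/ecroot.pem"            # matching root: OK
check_chain "$WORK/origin.pem" "$WORK/rsaroot.pem" || true   # wrong root: issuer mismatch
```

The first failing check tells you which of the three things is wrong: an issuer mismatch means the uploaded root is simply not the one that signed the certificate (for instance the RSA root file alongside an ECC certificate), while a verify failure with a matching issuer DN points at a corrupted or truncated .pem paste.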

Hi, yes, I chose ECC for both.

Might the cause be that I have generated an origin cert with “zzyyzz.domain.com.es” and “*.domain.com.es”, and I only have DNS A records for the subdomains and not for the “zzyyzz.domain.com.es” domain?

“com.es” is a TLD

Hi, yes, I picked ECC for both.

Might this be because I don’t have DNS records for my domain and only have DNS records for the subdomains, and the cert I generated was for “mydomain.com.es” and “*.mydomain.com.es”, where the first one doesn’t have a DNS record?

“.com.es” is a TLD like “.net”

EDIT: I confirm that this was why it wasn’t working; creating a cert with a subdomain or with “*.domain.com.es” works.

1 Like